mul_by_xi optimizations

Author: shramee

Diff for: src/bench.cairo

@@ -17,29 +17,29 @@
 // test bn::bench::fq02::sqru ... ok (gas usage est.: 56750)
 // test bn::bench::fq02::sub ... ok (gas usage est.: 10500)
 // test bn::bench::fq06::add ... ok (gas usage est.: 59460)
-// test bn::bench::fq06::inv ... ok (gas usage est.: 2087070)
-// test bn::bench::fq06::mul ... ok (gas usage est.: 1251820)
-// test bn::bench::fq06::mulu ... ok (gas usage est.: 1107880)
-// test bn::bench::fq06::sqr ... ok (gas usage est.: 966130)
-// test bn::bench::fq06::sqru ... ok (gas usage est.: 822190)
+// test bn::bench::fq06::inv ... ok (gas usage est.: 2081670)
+// test bn::bench::fq06::mul ... ok (gas usage est.: 1249220)
+// test bn::bench::fq06::mulu ... ok (gas usage est.: 1105280)
+// test bn::bench::fq06::sqr ... ok (gas usage est.: 963530)
+// test bn::bench::fq06::sqru ... ok (gas usage est.: 819590)
 // test bn::bench::fq06::sub ... ok (gas usage est.: 31500)
 // test bn::bench::fq12::add ... ok (gas usage est.: 128220)
-// test bn::bench::fq12::inv ... ok (gas usage est.: 6602290)
-// test bn::bench::fq12::kdcmp ... ok (gas usage est.: 1232580)
-// test bn::bench::fq12::ksqr ... ok (gas usage est.: 1281820)
-// test bn::bench::fq12::mul ... ok (gas usage est.: 4097360)
-// test bn::bench::fq12::sqr ... ok (gas usage est.: 3073140)
-// test bn::bench::fq12::sqrc ... ok (gas usage est.: 2254450)
+// test bn::bench::fq12::inv ... ok (gas usage est.: 6584690)
+// test bn::bench::fq12::kdcmp ... ok (gas usage est.: 1230780)
+// test bn::bench::fq12::ksqr ... ok (gas usage est.: 1276420)
+// test bn::bench::fq12::mul ... ok (gas usage est.: 4087960)
+// test bn::bench::fq12::sqr ... ok (gas usage est.: 3066340)
+// test bn::bench::fq12::sqrc ... ok (gas usage est.: 2247250)
 // test bn::bench::fq12::sub ... ok (gas usage est.: 74900)
-// test bn::bench::fq12::xp_t ... ok (gas usage est.: 163609970)
-// test bn::bench::fq12::z_esy ... ok (gas usage est.: 15899220)
-// test bn::bench::fq12::z_hrd ... ok (gas usage est.: 541911430)
+// test bn::bench::fq12::xp_t ... ok (gas usage est.: 163091970)
+// test bn::bench::fq12::z_esy ... ok (gas usage est.: 15862820)
+// test bn::bench::fq12::z_hrd ... ok (gas usage est.: 540241830)
 // test bn::bench::u512::add ... ok (gas usage est.: 7490)
 // test bn::bench::u512::add_bn ... ok (gas usage est.: 15390)
 // test bn::bench::u512::fq_add ... ok (gas usage est.: 5480)
 // test bn::bench::u512::fq_n2 ... ok (gas usage est.: 400)
 // test bn::bench::u512::fq_sub ... ok (gas usage est.: 5480)
-// test bn::bench::u512::mxi ... ok (gas usage est.: 96100)
+// test bn::bench::u512::mxi ... ok (gas usage est.: 95100)
 // test bn::bench::u512::sub ... ok (gas usage est.: 7490)
 // test bn::bench::u512::sub_bn ... ok (gas usage est.: 15390)
 

Diff for: src/curve.cairo

@@ -135,9 +135,9 @@ fn u512_reduce_bn(a: u512) -> u256 {
 }
 
 #[inline(always)]
-fn u512_scl_9(a: u512) -> u512 {
+fn u512_scl_9(a: u512, field_nz: NonZero<u256>) -> u512 {
     let u512 { limb0, limb1, limb2: low, limb3: high, } = a;
-    let u256 { low: limb2, high: limb3 } = reduce(u256 { high, low }, FIELD.try_into().unwrap());
+    let u256 { low: limb2, high: limb3 } = reduce(u256 { high, low }, field_nz);
     let (result, overflow) = u512_scl(u512 { limb0, limb1, limb2, limb3, }, 9);
 
     if (overflow == 0) {
@@ -149,9 +149,16 @@ fn u512_scl_9(a: u512) -> u512 {
 
 // ξ = 9 + i
 fn mul_by_xi(t: (u512, u512)) -> (u512, u512) {
+    let field_nz = FIELD.try_into().unwrap();
     let (t0, t1): (u512, u512) = t;
-    (u512_scl_9(t0) - t1, //
-     t0 + u512_scl_9(t1))
+    (u512_scl_9(t0, field_nz) - t1, //
+     t0 + u512_scl_9(t1, field_nz))
+}
+
+fn mul_by_xi_nz(t: (u512, u512), field_nz: NonZero<u256>) -> (u512, u512) {
+    let (t0, t1): (u512, u512) = t;
+    (u512_scl_9(t0, field_nz) - t1, //
+     t0 + u512_scl_9(t1, field_nz))
 }
 
 #[inline(always)]
@@ -163,6 +170,15 @@ fn mul_by_v(
     (mul_by_xi(t2), t0, t1,)
 }
 
+#[inline(always)]
+fn mul_by_v_nz(
+    t: ((u512, u512), (u512, u512), (u512, u512)), field_nz: NonZero<u256>
+) -> ((u512, u512), (u512, u512), (u512, u512)) {
+    // https://github.com/paritytech/bn/blob/master/src/fields/fq6.rs#L110
+    let (t0, t1, t2) = t;
+    (mul_by_xi_nz(t2, field_nz), t0, t1)
+}
+
 #[inline(always)]
 fn mul(a: u256, b: u256) -> u256 {
     m::mul_nz(a, b, field_nz())

Diff for: src/fields/fq_12.cairo

@@ -7,7 +7,7 @@ use bn::fields::{Fq6, fq6, Fq6Utils, fq2, Fq6Frobenius, Fq6MulShort, Fq6Short};
 use bn::fields::frobenius::fp12 as frob;
 use bn::curve::{FIELD};
 use bn::curve::{
-    u512, U512BnAdd, Tuple2Add, Tuple3Add, U512BnSub, Tuple2Sub, Tuple3Sub, u512_reduce, mul_by_v
+    u512, U512BnAdd, Tuple2Add, Tuple3Add, U512BnSub, Tuple2Sub, Tuple3Sub, u512_reduce, mul_by_v_nz
 };
 use debug::PrintTrait;
 
@@ -174,16 +174,16 @@ impl Fq12Ops of FieldOps<Fq12> {
     fn mul(self: Fq12, rhs: Fq12) -> Fq12 {
         core::internal::revoke_ap_tracking();
         // Input: a = (a0 + a1i) and b = (b0 + b1i) ∈ Fp2 Output: c = a·b = (c0 +c1i) ∈ Fp2
+        let field_nz = FIELD.try_into().unwrap();
+
         let Fq12 { c0: a0, c1: a1 } = self;
         let Fq12 { c0: b0, c1: b1 } = rhs;
 
         let U = a0.u_mul(b0);
         let V = a1.u_mul(b1);
 
-        let C0 = mul_by_v(V) + U;
+        let C0 = mul_by_v_nz(V, field_nz) + U;
         let C1 = (a0 + a1).u_mul(b0 + b1) - U - V;
-
-        let field_nz = FIELD.try_into().unwrap();
         Fq12 { //
          c0: C0.to_fq(field_nz), //
          c1: C1.to_fq(field_nz), //
@@ -192,21 +192,24 @@ impl Fq12Ops of FieldOps<Fq12> {
 
     fn sqr(self: Fq12) -> Fq12 {
         core::internal::revoke_ap_tracking();
+        let field_nz = FIELD.try_into().unwrap();
+
         let Fq12 { c0: a0, c1: a1 } = self;
 
         // Complex squaring
         let V = a0.u_mul(a1);
         // (a0 + a1) * (a0 + βa1) - v - βv
-        let C0 = (a0 + a1).u_mul(a0 + a1.mul_by_nonresidue()) - V - mul_by_v(V);
+        let C0 = (a0 + a1).u_mul(a0 + a1.mul_by_nonresidue()) - V - mul_by_v_nz(V, field_nz);
         // 2v
         let C1 = V + V;
-        let field_nz = FIELD.try_into().unwrap();
         Fq12 { c0: C0.to_fq(field_nz), c1: C1.to_fq(field_nz) }
     }
 
     fn inv(self: Fq12, field_nz: NonZero<u256>) -> Fq12 {
         core::internal::revoke_ap_tracking();
-        let t = (self.c0.u_sqr() - mul_by_v(self.c1.u_sqr())).to_fq(field_nz).inv(field_nz);
+        let t = (self.c0.u_sqr() - mul_by_v_nz(self.c1.u_sqr(), field_nz))
+            .to_fq(field_nz)
+            .inv(field_nz);
 
         Fq12 { c0: self.c0 * t, c1: -(self.c1 * t), }
     }

Diff for: src/fields/fq_12_expo.cairo

@@ -5,7 +5,7 @@ use bn::traits::FieldShortcuts;
 use bn::traits::FieldMulShortcuts;
 use core::array::ArrayTrait;
 use bn::curve::{t_naf, FIELD, FIELD_X2};
-use bn::curve::{u512, mul_by_xi, mul_by_v, U512BnAdd, U512BnSub, Tuple2Add, Tuple2Sub,};
+use bn::curve::{u512, mul_by_xi_nz, mul_by_v, U512BnAdd, U512BnSub, Tuple2Add, Tuple2Sub,};
 use bn::curve::{u512_add, u512_sub, u512_high_add, u512_high_sub, U512Fq2Ops};
 use bn::fields::{FieldUtils, FieldOps, fq, Fq, Fq2, Fq6, Fq12, fq12, Fq12Frobenius};
 use bn::fields::{TFqAdd, TFqSub, TFqMul, TFqDiv, TFqNeg, TFqPartialEq,};
@@ -149,7 +149,7 @@ impl Fq12FinalExpo of FinalExponentiationTrait {
             Fq12 { c0: Fq6 { c0: g0, c1: g4, c2: g3 }, c1: Fq6 { c0: g2, c1: g1, c2: g5 } }
         } else {
             // g1 = (S5ξ + 3S4 - 2g3)/4g2
-            let S5xi = mul_by_xi(g5.u_sqr());
+            let S5xi = mul_by_xi_nz(g5.u_sqr(), field_nz);
             let S4 = g4.u_sqr();
             let Tmp = S4.u512_sub_fq(g3); // S4 - g3
             let g1: Fq2 = (S5xi + S4.u_add(Tmp.u_add(Tmp))).to_fq(field_nz); // (S5ξ + 3S4 - 2g3)
@@ -183,18 +183,18 @@ impl Fq12FinalExpo of FinalExponentiationTrait {
         let S2_3: (u512, u512) = (g2 + g3).u_sqr();
 
         // h1 = 3 * g3² + 3 * nr * g2² - 2*g1
-        let Tmp = S3 + mul_by_xi(S2); // g3² + nr * g2²
+        let Tmp = S3 + mul_by_xi_nz(S2, field_nz); // g3² + nr * g2²
         let h1 = X2(Tmp.u512_sub_fq(g1)) + Tmp;
         let h1 = h1.to_fq(field_nz);
 
         // h2 = 3 * nr * g5² + 3 * g1² - 2*g2
-        let Tmp = mul_by_xi(S5) + S1; // nr * g5² + g1²
+        let Tmp = mul_by_xi_nz(S5, field_nz) + S1; // nr * g5² + g1²
         let h2 = X2(Tmp.u512_sub_fq(g2)) + Tmp;
         let h2 = h2.to_fq(field_nz);
 
         // 2 * g1 * g5 = (S1_5 - S1 - S5)
         // h3 = 6 * nr * g1 * g5 + 2*g3
-        let Tmp = mul_by_xi(S1_5 - S1 - S5); // 2 * g1 * g5
+        let Tmp = mul_by_xi_nz(S1_5 - S1 - S5, field_nz); // 2 * g1 * g5
         let h3 = X2(Tmp.u512_add_fq(g3)) + Tmp;
         let h3 = h3.to_fq(field_nz);
 
@@ -226,17 +226,17 @@ impl Fq12FinalExpo of FinalExponentiationTrait {
         let S2_3: (u512, u512) = (g2 + g3).u_sqr();
 
         // h2 = 3(S4_5 − S4 − S5)ξ + 2g2;
-        let Tmp = mul_by_xi(S4_5 - S4.u_add(S5));
+        let Tmp = mul_by_xi_nz(S4_5 - S4.u_add(S5), field_nz);
         let h2 = X2(Tmp.u512_add_fq(g2)) + Tmp;
         let h2 = h2.to_fq(field_nz);
 
         // h3 = 3(S4 + S5ξ) - 2g3;
-        let Tmp = S4 + mul_by_xi(S5);
+        let Tmp = S4 + mul_by_xi_nz(S5, field_nz);
         let h3 = X2(Tmp.u512_sub_fq(g3)) + Tmp;
         let h3 = h3.to_fq(field_nz);
 
         // h4 = 3(S2 + S3ξ) - 2g4;
-        let Tmp = S2 + mul_by_xi(S3);
+        let Tmp = S2 + mul_by_xi_nz(S3, field_nz);
         let h4 = X2(Tmp.u512_sub_fq(g4)) + Tmp;
         let h4 = h4.to_fq(field_nz);
 
@@ -311,21 +311,27 @@ impl Fq12FinalExpo of FinalExponentiationTrait {
         // let tmp = z0 * z1;
         let Tmp = z0.u_mul(z1);
         // let t0 = (z0 + z1) * (z1.mul_by_nonresidue() + z0) - tmp - tmp.mul_by_nonresidue();
-        let T0 = z0.u_add(z1).u_mul(z1.mul_by_nonresidue().u_add(z0)) - Tmp - mul_by_xi(Tmp);
+        let T0 = z0.u_add(z1).u_mul(z1.mul_by_nonresidue().u_add(z0))
+            - Tmp
+            - mul_by_xi_nz(Tmp, field_nz);
         // let t1 = tmp + tmp;
         let T1 = Tmp + Tmp;
 
         // let tmp = z2 * z3;
         let Tmp = z2.u_mul(z3);
         // let t2 = (z2 + z3) * (z3.mul_by_nonresidue() + z2) - tmp - tmp.mul_by_nonresidue();
-        let T2 = z2.u_add(z3).u_mul(z3.mul_by_nonresidue().u_add(z2)) - Tmp - mul_by_xi(Tmp);
+        let T2 = z2.u_add(z3).u_mul(z3.mul_by_nonresidue().u_add(z2))
+            - Tmp
+            - mul_by_xi_nz(Tmp, field_nz);
         // let t3 = tmp + tmp;
         let T3 = Tmp + Tmp;
 
         // let tmp = z4 * z5;
         let Tmp = z4.u_mul(z5);
         // let t4 = (z4 + z5) * (z5.mul_by_nonresidue() + z4) - tmp - tmp.mul_by_nonresidue();
-        let T4 = z4.u_add(z5).u_mul(z5.mul_by_nonresidue().u_add(z4)) - Tmp - mul_by_xi(Tmp);
+        let T4 = z4.u_add(z5).u_mul(z5.mul_by_nonresidue().u_add(z4))
+            - Tmp
+            - mul_by_xi_nz(Tmp, field_nz);
         // let t5 = tmp + tmp;
         let T5 = Tmp + Tmp;
 
@@ -337,7 +343,7 @@ impl Fq12FinalExpo of FinalExponentiationTrait {
         let Z1 = Z1 + Z1;
         let Z1 = Z1 + T1;
 
-        let Tmp = mul_by_xi(T5);
+        let Tmp = mul_by_xi_nz(T5, field_nz);
         let Z2 = Tmp.u512_add_fq(z2);
         let Z2 = Z2 + Z2;
         let Z2 = Z2 + Tmp;

Diff for: src/fields/fq_2.cairo

@@ -110,6 +110,7 @@ impl Fq2Short of FieldShortcuts<Fq2> {
          }
     }
 
+    #[inline(always)]
     fn fix_mod(self: Fq2) -> Fq2 {
         // Operation without modding can only be done like 4 times
         Fq2 { //

Diff for: src/fields/fq_6.cairo

@@ -1,7 +1,7 @@
 use bn::curve::{FIELD};
 use bn::curve::{
-    U512Fq2Ops, u512, U512BnAdd, Tuple2Add, U512BnSub, Tuple2Sub, mul_by_xi, u512_reduce, u512_add,
-    u512_sub
+    U512Fq2Ops, u512, U512BnAdd, Tuple2Add, U512BnSub, Tuple2Sub, mul_by_xi, mul_by_xi_nz,
+    u512_reduce, u512_add, u512_sub
 };
 use bn::fields::print::{FqPrintImpl, Fq2PrintImpl, Fq6PrintImpl, Fq12PrintImpl};
 use bn::fields::{Fq2, Fq2Ops, fq2, Fq2Frobenius};
@@ -194,13 +194,15 @@ impl Fq6MulShort of FieldMulShortcuts<Fq6, SixU512> {
         // Output:c = a · b = (c0 + c1v + c2v2) ∈ Fp6
         let Fq6 { c0: a0, c1: a1, c2: a2 } = self;
         let Fq6 { c0: b0, c1: b1, c2: b2 } = rhs;
+        let field_nz = FIELD.try_into().unwrap();
+
         // v0 = a0b0, v1 = a1b1, v2 = a2b2
         let (V0, V1, V2,) = (a0.u_mul(b0), a1.u_mul(b1), a2.u_mul(b2),);
 
         // c0 = v0 + ξ((a1 + a2)(b1 + b2) - v1 - v2)
-        let C0 = V0 + mul_by_xi(a1.u_add(a2).u_mul(b1.u_add(b2)) - V1 - V2);
+        let C0 = V0 + mul_by_xi_nz(a1.u_add(a2).u_mul(b1.u_add(b2)) - V1 - V2, field_nz);
         // c1 =(a0 + a1)(b0 + b1) - v0 - v1 + ξv2
-        let C1 = a0.u_add(a1).u_mul(b0.u_add(b1)) - V0 - V1 + mul_by_xi(V2);
+        let C1 = a0.u_add(a1).u_mul(b0.u_add(b1)) - V0 - V1 + mul_by_xi_nz(V2, field_nz);
         // c2 = (a0 + a2)(b0 + b2) - v0 + v1 - v2,
         let C2 = a0.u_add(a2).u_mul(b0.u_add(b2)) - V0 + V1 - V2;
 
@@ -214,6 +216,7 @@ impl Fq6MulShort of FieldMulShortcuts<Fq6, SixU512> {
     fn u_sqr(self: Fq6) -> SixU512 {
         core::internal::revoke_ap_tracking();
         let Fq6 { c0, c1, c2 } = self;
+        let field_nz = FIELD.try_into().unwrap();
 
         // let s0 = c0.sqr();
         let S0 = c0.u_sqr();
@@ -231,9 +234,9 @@ impl Fq6MulShort of FieldMulShortcuts<Fq6, SixU512> {
         let S4 = c2.u_sqr();
 
         // let c0 = s0 + s3.mul_by_nonresidue();
-        let C0 = S0 + mul_by_xi(S3);
+        let C0 = S0 + mul_by_xi_nz(S3, field_nz);
         // let c1 = s1 + s4.mul_by_nonresidue();
-        let C1 = S1 + mul_by_xi(S4);
+        let C1 = S1 + mul_by_xi_nz(S4, field_nz);
         // let c2 = s1 + s2 + s3 - s0 - s4;
         let C2 = S1 + S2 + S3 - S0 - S4;
         (C0, C1, C2)
@@ -292,16 +295,16 @@ impl Fq6Ops of FieldOps<Fq6> {
         let field_nz = FIELD.try_into().unwrap();
         let Fq6 { c0, c1, c2 } = self;
         // let c0 = self.c0.sqr() - self.c1 * self.c2.mul_by_nonresidue();
-        let v0 = c0.u_sqr() - mul_by_xi(c1.u_mul(c2));
+        let v0 = c0.u_sqr() - mul_by_xi_nz(c1.u_mul(c2), field_nz);
         let v0 = v0.to_fq(field_nz);
         // let c1 = self.c2.sqr().mul_by_nonresidue() - self.c0 * self.c1;
-        let V1 = mul_by_xi(c2.u_sqr()) - c0.u_mul(c1);
+        let V1 = mul_by_xi_nz(c2.u_sqr(), field_nz) - c0.u_mul(c1);
         let v1 = V1.to_fq(field_nz);
         // let c2 = self.c1.sqr() - self.c0 * self.c2;
         let V2 = c1.u_sqr() - c0.u_mul(c2);
         let v2 = V2.to_fq(field_nz);
         // let t = ((self.c2 * c1 + self.c1 * c2).mul_by_nonresidue() + self.c0 * c0).inv();
-        let t = (mul_by_xi(c2.u_mul(v1) + c1.u_mul(v2)) + c0.u_mul(v0))
+        let t = (mul_by_xi_nz(c2.u_mul(v1) + c1.u_mul(v2), field_nz) + c0.u_mul(v0))
             .to_fq(field_nz)
             .inv(field_nz);
         Fq6 { c0: t * v0, c1: t * v1, c2: t * v2, }

Diff for: src/fields/tests/fq12_expo.cairo

@@ -9,7 +9,7 @@ use bn::fields::{
 use bn::curve::{
     FIELD, u512, Tuple2Add, Tuple2Sub, U512BnAdd, U512BnSub, u512_sub_u256, u512_add, u512_sub
 };
-use bn::fields::fq_12_expo::{x2, x3, x4, X2, mul_by_xi, Krbn2345};
+use bn::fields::fq_12_expo::{x2, x3, x4, X2, mul_by_xi_nz, Krbn2345};
 use bn::fields::fq_generics::{TFqAdd, TFqSub, TFqMul, TFqDiv, TFqNeg, TFqPartialEq,};
 use bn::fields::print::{Fq12Display, Fq2Display};
 use debug::PrintTrait;
@@ -52,7 +52,7 @@ fn sqr() -> Fq12 {
 // fn krbn_experiments() {
 //     let Fq12 { c0: Fq6 { c0: _, c1: _, c2: g2 }, c1: Fq6 { c0: g3, c1: g4, c2: g5 } } =
 //         a_cyc();
-//     let _field_nz: NonZero<u256> = FIELD.try_into().unwrap();
+//     let field_nz: NonZero<u256> = FIELD.try_into().unwrap();
 //     let asq = sqr();
 //     // Si,j = (gi + gj )^2 and Si = gi^2
 //     // let S2: (u512, u512) = g2.u_sqr();
@@ -72,7 +72,7 @@ fn sqr() -> Fq12 {
 //     // h₅ = 2g₅ + 3 ((g₂+g₃)²-g₂²-g₃²)
 
 //     // h2 = 3(S4_5 − S4 − S5)ξ + 2g2;
-//     // let _h2: (u512, u512) = X3(mul_by_xi(S4_5 - S4 - S5)).u512_add_fq(g2.u_add(g2));
+//     // let _h2: (u512, u512) = X3(mul_by_xi_nz(S4_5 - S4 - S5, field_nz)).u512_add_fq(g2.u_add(g2));
 //     // let h2: Fq2 = _h2.to_fq(field_nz);
 
 //     // h₂ = 2g₂ + 3ξ((g₄+g₅)²-g₄²-g₅²)